Re: samba-technical Digest, Vol 107, Issue 9
Rohit Sharma
rohitsharma2112 at rediffmail.com
Mon Nov 7 23:03:15 MST 2011
Jar plz plz not send me message
From: samba-technical-request at lists.samba.org
Sent: Tue, 08 Nov 2011 04:09:33 +0530
To: samba-technical at lists.samba.org
Subject: samba-technical Digest, Vol 107, Issue 9
> Today's Topics:
>
> 1. Re: Confused [Was: Upgrade from S3 to a Samba4 DC [with
> LDAPSAM]] (Adam Tauno Williams)
> 2. Unable to use/access newly upgraded domain [Was: Upgrade from
> S3 to a Samba4 DC [with LDAPSAM]] (Adam Tauno Williams)
> 3. Re: talloc use after free in samba3upgrade (Adam Tauno Williams)
> On Wed, 2011-11-02 at 12:01 -0400, Adam Tauno Williams wrote:
> > Quoting Andrew Bartlett <abartlet at samba.org>:
> > > On Mon, 2011-10-31 at 15:54 -0400, Adam Tauno Williams wrote:
> > >> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> > >> > Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> > >> >> So I have an S4 instance I've built from an upgrade of a Samba 3
> > >> >> LDAPSAM domain.
> > >> >> I took an XP workstation off the production network, created the
> > >> >> Samba4 instance, brought it up on its own network and connected the
> > >> >> XP workstation. Attempting to login on the XP workstation and it
> > >> >> says "domain unavailable". Hrmm....
> > >> >> I can get tickets as an 'upgraded' domain user.
> > >> >> kinit adam at MICORE.US
> > >> >> DNS is working.
> > >> >> host -t SRV _ldap._tcp.micore.us.
> > >> >> host -t SRV _kerberos._udp.micore.us.
> > >> >> host -t A barbel.micore.us.
> > >> >> But -
> > >> >> Ignoring unknown parameter "server role"
> > >> >> SID for domain BARBEL is: S-1-5-21-2037442776-3290224752-88127236
> > >> >> barbel:~ # net getdomainsid
> > >> >> Ignoring unknown parameter "server role"
> > >> >> SID for local machine BARBEL is: S-1-5-21-2037442776-3290224752-88127236
> > >> >> Could not fetch domain SID
> > >> >> ... should the domain SID be fetchable? Is the upgraded domain
> > >> >> somehow disabled?
> > >> >> That is the same SID as the S3 DC.
> > >> > Attempting to access the domain from the XP workstation by
> > >> > specifying \\{serverName}\netlogon and using "BACKBONE\adam" and the
> > >> > password appears to authenticate but then fails with a "The security
> > >> > ID structure is invalid." [BACKBONE was the NetBIOS domain of the
> > >> > upgraded domain].
> > >>
> > >> I updated the Samba4 to the latest git [4.0.0alpha18-GIT-63c7107]
> > >>
> > >> It appears the error is here -
> > >> [2011/10/31 15:49:00, 5]
> > >> ../source4/dsdb/samdb/samdb.c:81(samdb_credentials)
> > >> (normal if no LDAP backend) Could not find entry to match filter:
> > >> '(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '': No such
> > >> object: (null)
> > >> [2011/10/31 15:49:00, 5]
> > >> ../auth/gensec/gensec_start.c:616(gensec_start_mech)
> > >> Starting GENSEC mechanism spnego
> > >> [2011/10/31 15:49:00, 5]
> > >> ../auth/gensec/gensec_start.c:616(gensec_start_mech)
> > >> Starting GENSEC submechanism gssapi_krb5
> > >> [2011/10/31 15:49:00, 1]
> > >> ../source4/auth/gensec/gensec_gssapi.c:638(gensec_gssapi_update)
> > >> GSS server Update(krb5)(1) Update failed: An unsupported mechanism
> > >> was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
> > >> [2011/10/31 15:49:00, 1]
> > >> ../source4/auth/gensec/spnego.c:555(gensec_spnego_parse_negTokenInit)
> > >> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> > >> [2011/10/31 15:49:00, 2]
> > >> ../source4/auth/gensec/spnego.c:727(gensec_spnego_server_negTokenTarg)
> > >> SPNEGO login failed: NT_STATUS_LOGON_FAILURE
> > >> [2011/10/31 15:49:00, 10] ../source4/smb_server/smb_server.c:94(smbsrv_recv)
> > >> smbsrv_recv
> > >> [2011/10/31 15:49:00, 10] ../source4/smb_server/smb_server.c:94(smbsrv_recv)
> > >> smbsrv_recv
> > >> [2011/10/31 15:49:00, 5]
> > >> ../source4/smb_server/smb/receive.c:507(switch_message)
> > >> switch message SMBtconX (task_id 0:2328.0)
> > >> Is this a problem in the provisioned database [No such object: (null)]
> > >> or in some interaction with the XP client [unknown mech-code 0 for
> > >> mech].
> > > I'm not really sure what is wrong here. It isn't the [No such object:
> > > (null)] because that is '(normal if no LDAP backend)'. I will remove
> > > the confusing error message here to avoid this being raised again.
> > > Somehow the ticket isn't being accepted by GSSAPI, and we need to work
> > > out why that is. Does the same thing happen with smbclient (from
> > > samba4) using this command?
> > > smbclient //server/share -k yes
> > barbel:~ # smbclient //barbel/tmp -k yes
> > smb: \> ls
> > NT_STATUS_INVALID_SID listing \*
> > Error in dskattr: NT_STATUS_INVALID_SID
> > smb: \>
> > I think because the box is not a DC that winbind isn't working.
> > getent passwd makes many calls to Samba, and takes some time, but
> > then pretty much returns just the contents of /etc/passwd and some
> > stand-in entries
>
> Any thoughts? I tried this again from the beginning and still end up in
> the same stopping point.
>
> Note that I have to do the upgrade from an older GIT checkout due to the
> issue that current builds will not read the TDB files [the "talloc use
> after free" error/thread].
>
> > ....
> > named:x:44:44:Name server daemon:/var/lib/named:/bin/false
> > dhcpd:x:104:65534:DHCP server daemon:/var/lib/dhcp:/bin/false
> > Administrator:*:0:100::/home/BACKBONE/Administrator:/bin/false
> > Guest:*:3000008:99::/home/BACKBONE/Guest:/bin/false
> > krbtgt:*:3000009:100::/home/BACKBONE/krbtgt:/bin/false
>
> On Tue, 2011-11-01 at 12:36 +1100, Andrew Bartlett wrote:
> > On Mon, 2011-10-31 at 15:54 -0400, Adam Tauno Williams wrote:
> > > It appears the error is here -
> > > [2011/10/31 15:49:00, 5] ../source4/dsdb/samdb/samdb.c:81(samdb_credentials)
> > > (normal if no LDAP backend) Could not find entry to match filter:
> > > '(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '': No such
> > > object: (null)
> > > [2011/10/31 15:49:00, 5] ../auth/gensec/gensec_start.c:616(gensec_start_mech)
> > > Starting GENSEC mechanism spnego
> > > [2011/10/31 15:49:00, 5] ../auth/gensec/gensec_start.c:616(gensec_start_mech)
> > > Starting GENSEC submechanism gssapi_krb5
> > > [2011/10/31 15:49:00, 1]
> > > ../source4/auth/gensec/gensec_gssapi.c:638(gensec_gssapi_update)
> > > GSS server Update(krb5)(1) Update failed: An unsupported mechanism
> > > was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
> > > [2011/10/31 15:49:00, 1]
> > > ../source4/auth/gensec/spnego.c:555(gensec_spnego_parse_negTokenInit)
> > > SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> > > [2011/10/31 15:49:00, 2]
> > > ../source4/auth/gensec/spnego.c:727(gensec_spnego_server_negTokenTarg)
> > > SPNEGO login failed: NT_STATUS_LOGON_FAILURE
> > > [2011/10/31 15:49:00, 10] ../source4/smb_server/smb_server.c:94(smbsrv_recv)
> > > smbsrv_recv
> > > [2011/10/31 15:49:00, 10] ../source4/smb_server/smb_server.c:94(smbsrv_recv)
> > > smbsrv_recv
> > > [2011/10/31 15:49:00, 5]
> > > ../source4/smb_server/smb/receive.c:507(switch_message)
> > > switch message SMBtconX (task_id 0:2328.0)
> > > Is this a problem in the provisioned database [No such object: (null)]
> > > or in some interaction with the XP client [unknown mech-code 0 for
> > > mech].
> > I'm not really sure what is wrong here. It isn't the [No such object:
> > (null)] because that is '(normal if no LDAP backend)'. I will remove
> > the confusing error message here to avoid this being raised again.
> > Somehow the ticket isn't being accepted by GSSAPI, and we need to work
> > out why that is. Does the same thing happen with smbclient (from
> > samba4) using this command?
> > smbclient //server/share -k yes
>
> Also if I try to log onto a workstation as a domain user I simply
> receive a "The system cannot log you on now because domain BACKBONE is
> not available". That attempt doesn't seem to cause any log activity on
> the server.
>
> In this case the client is 10.66.77.100 and the "DC" is 10.66.77.1 (my
> laptop is 10.66.77.2, but it is only ssh'd to the DC).
>
> BootAndLogin.pcap is all the traffic between the workstation and the
> client up to and including attempting to login as a domain user.
>
> Then if I login as local Administrator on the workstation I can see the
> DC in "Windows Explorer" *and* see shares. Browsing the server prompts
> for - and accepts - a domain user's credentials. But then the shares
> are inaccessible. Oddly, in Windows Explorer the navigation tree
> appears as -
>
> - Microsoft Windows Network
> + Backbone
> + PC02372
> + Unknown
> + Barbel
>
> Where PC02372 is the workstation and Barbel is the DC. Almost as if the
> migrated domain ended up with a different NetBIOS name (???).
>
> The output of the upgrade/provisioning with samba-tool said -
>
> ....
> Once the above files are installed, your Samba4 server will be ready to
> use
> Server Role: domain controller
> Hostname: BARBEL
> NetBIOS Domain: BACKBONE
> DNS Domain: micore.us
> DOMAIN SID: S-1-5-21-2037442776-3290224752-88127236
> Admin password: None
> Importing WINS database
> Importing Account policy
> ...
>
>
> barbel:~ # /opt/s4/sbin/samba --version
> Version 4.0.0alpha18-GIT-fa5475e
>
> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> > Quoting "Stefan (metze) Metzmacher" <metze at samba.org>:
> >> Am 28.10.2011 00:26, schrieb Andrew Bartlett:
> >>> On Thu, 2011-10-27 at 08:40 -0400, Adam Tauno Williams wrote:
> >>>> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> >>>>> On Tue, 2011-09-20 at 08:16 -0700, Andrew Bartlett wrote:
> >>>>>> On Mon, 2011-09-19 at 22:20 +0200, Pavel Herrmann wrote:
> >>>>>>> On Monday 19 of September 2011 16:03:20 Adam Tauno Williams wrote:
> >>>>>>>> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> >>>>>>>> linux-hvej:~ # /opt/s4/sbin/samba-tool user setpassword administrator
> >>>>>>>> New Password:
> >>>>>>>> Changed password OK
> >>>>>>>> --- kinit says my password expired, and can't change it (???
> >>>>>>>> linux-hvej:~ # kinit administrator at MICORE.US
> >>>>>>>> Password for administrator at MICORE.US:
> >>>>>>>> Password expired. You must change it now.
> >>>>>>>> Enter new password:
> >>>>>>>> Enter it again:
> >>>>>>>> kinit: Password has expired while getting initial credentials
> >>>>>>> you can try setting passwords to never expire
> >>>>>>> samba-tool pwsettings set --max-pwd-age=0
> >>>>>> If this is required, it means that the password policies were not
> >>>>>> upgraded correctly. This was a bug in earlier versions of this tool,
> >>>>>> but I thought it had been fixed.
> >>>>>> If this is still happening with current GIT, can you get me the ldif of
> >>>>>> your domain object? I want to check that the maxPwdAge is negative
> >>>>>> nanoseconds, not positive seconds. (NTTIME vs unix time).
> >>>>> I'll update my git, rebuild, and import again [hopefully today, but it
> >>>>> may take a couple of days]
> >>>> I finally got back to my AD migration. After pulling the git and
> >>>> rebuilding the import now fails completely.
> >>>> linux-hvej:~ # samba-tool domain samba3upgrade --dbdir=/tmp/x
> >>>> /tmp/x/smb.conf
> >>>> Reading smb.conf
> >>>> Provisioning
> >>>> no talloc stackframe around, leaking memory
> >>>> Exporting account policy
> >>>> Exporting groups
> >>>> talloc: access after free error - first free may be at ?? [wonky
> >>>> characters]
> >>>> Bad talloc magic value - access after free
> >>>> Aborted
> >>> Can you run it under valgrind, eg:
> >>> valgrind /usr/bin/python /usr/local/samba/sbin/samba-tool domain
> >>> samba3upgrade --dbdir=/tmp/x /tmp/x/smb.conf
> >>> There will be noise from python's own allocation libs, but it should
> >>> also give us the clue we need here.
> > Output of the valgrind is attached.
>
> And this one is with the correct path to samba-tool. :)
>
> valgrind /usr/bin/python /opt/s4/sbin/samba-tool domain samba3upgrade
> --dbdir=/tmp/x /tmp/x/smb.conf
>
>
>
> > linux-hvej:~ # /opt/s4/sbin/samba --version
> > Version 4.0.0alpha18-GIT-1d53109
>
>
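The check requested in the quoted thread (whether maxPwdAge on the upgraded domain object is a negative NTTIME-style interval rather than positive Unix seconds), as an added example that is not part of the thread or of Samba's code. It assumes Active Directory's encoding of maxPwdAge as a negative count of 100-nanosecond intervals; the LDIF fragments and function names are constructed for illustration.

```python
import re

INT64_MIN = -(2 ** 63)          # AD sentinel for "passwords never expire"
TICKS_PER_SECOND = 10_000_000   # one tick = 100 nanoseconds
SECONDS_PER_DAY = 86400

# Constructed sample LDIF fragments (not taken from the thread).
GOOD_LDIF = """dn: DC=example,DC=test
objectClass: domainDNS
maxPwdAge: -36288000000000
"""
BAD_LDIF = """dn: DC=example,DC=test
objectClass: domainDNS
maxPwdAge: 3628800
"""


def read_max_pwd_age(ldif_text):
    """Return the integer maxPwdAge from an LDIF dump of the domain object."""
    m = re.search(r"^maxPwdAge:\s*(-?\d+)\s*$", ldif_text,
                  re.MULTILINE | re.IGNORECASE)
    if m is None:
        raise ValueError("no maxPwdAge attribute in LDIF")
    return int(m.group(1))


def classify_max_pwd_age(value):
    """Classify a raw maxPwdAge value.

    Returns (verdict, days):
      never-expires     0 or INT64_MIN, days is None
      ok                negative tick count, days = policy length
      suspect-positive  positive value, days = length if it were Unix seconds
    """
    if value in (0, INT64_MIN):
        return ("never-expires", None)
    if value > 0:
        # A positive value is not a valid age in the tick encoding; it is
        # what a seconds-based policy looks like when copied unconverted.
        return ("suspect-positive", value / SECONDS_PER_DAY)
    return ("ok", -value / TICKS_PER_SECOND / SECONDS_PER_DAY)


if __name__ == "__main__":
    for name, ldif in (("good", GOOD_LDIF), ("bad", BAD_LDIF)):
        print(name, classify_max_pwd_age(read_max_pwd_age(ldif)))
```
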